Zero Trust for a small SaaS team: where to start
What Zero Trust actually means
Zero Trust is built on a simple principle: trust nothing and no one by default. Every access must be verified, every connection authenticated, every request authorized — even from inside the network.
For a 15-person HR SaaS startup, this might sound excessive. But Zero Trust principles can be applied with simple, free tools.
5 principles you can apply today
1. Remove permanent access
How many people on your team have permanent access to the production database? If the answer is "all developers," you have a problem.
Action: limit production access to 2 people maximum. Use temporary access (just-in-time) via tools like Teleport or even a simple script that grants access for 1 hour after approval.
2. MFA everywhere
Not just on your application. On everything:
A single compromised account without MFA can give access to your entire infrastructure.
3. Least privilege principle
Every team member should only have the access strictly necessary for their work. The designer doesn't need database access. The sales rep doesn't need Git repository access.
Do an inventory of every member's access quarterly. Revoke what's no longer needed.
4. Segment your environments
Your development environment shouldn't be able to reach production. Your internal APIs shouldn't be exposed to the internet. Your marketing site shouldn't be on the same infrastructure as your application.
5. Log and audit
Every sensitive action should be traced: who accessed what, when, from where. Not to surveil employees — to detect anomalies.
A developer connecting at 3 AM from a country they're not in is an alert. A full candidate database export on a Friday evening is an alert.
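The two alert conditions above, implemented as a small detection pass over audit events. This is an added example, not CleanIssue's code: the JSON-lines log, the per-user expected-country table and the 10,000-row export threshold are all constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample audit log (one JSON object per line); timestamps carry the local UTC offset.
SAMPLE_LOG = """\
{"ts": "2024-05-13T09:12:00+02:00", "user": "alice", "action": "db.login", "country": "FR", "rows": 0}
{"ts": "2024-05-14T03:07:00+02:00", "user": "bob", "action": "db.login", "country": "BR", "rows": 0}
{"ts": "2024-05-17T19:40:00+02:00", "user": "alice", "action": "db.export", "country": "FR", "rows": 48210}
{"ts": "2024-05-15T14:05:00+02:00", "user": "alice", "action": "db.export", "country": "FR", "rows": 120}
"""

# Hypothetical baseline: the country each team member normally works from.
EXPECTED_COUNTRY = {"alice": "FR", "bob": "FR"}

# Assumed size above which an export looks like "the full candidate database".
EXPORT_THRESHOLD = 10_000


def parse_events(log_text):
    """Turn JSON-lines text into event dicts with a parsed datetime in 'ts'."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def is_off_hours(ts):
    """Weekend, or before 07:00 / from 19:00 in the event's own local time."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def detect_anomalies(events, expected_country=EXPECTED_COUNTRY, threshold=EXPORT_THRESHOLD):
    """Return one human-readable alert per suspicious event, in log order."""
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        when = ts.strftime("%a %H:%M")
        if ev["action"] == "db.login":
            expected = expected_country.get(user)
            if expected and ev["country"] != expected:  # login from a country the user is not in
                alerts.append(f"{user}: login from {ev['country']} (expected {expected}) at {when}")
        elif ev["action"] == "db.export":
            if ev["rows"] >= threshold and is_off_hours(ts):  # bulk export outside working hours
                alerts.append(f"{user}: bulk export of {ev['rows']} rows at {when}")
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_events(SAMPLE_LOG)):
        print("ALERT", alert)
```

Only the 03:07 login from an unexpected country and the Friday-evening 48,210-row export are flagged; the Monday-morning login and the small midweek export pass.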
Tools for a small team
| Need | Free/affordable tool |
|------|---------------------|
| MFA | Google Authenticator, Authy |
| Temporary access | Teleport Community, custom scripts |
| Access inventory | Spreadsheet + quarterly review |
| Logging | Native logs from your cloud services |
| Secret management | Doppler, Infisical (free for small teams) |
Where to start
Don't try to do everything in one week. Start with:
These 4 actions take one day and significantly reduce your attack surface.
CleanIssue's Ongoing Monitoring includes a regular review of your Zero Trust posture: we verify that access stays minimal, configurations haven't drifted, and new integrations respect established principles.